Lawmakers rally around cyber legislation following string of attacks

Lawmakers rally around cyber legislation following string of attacks

Lawmakers on Capitol Hill are scrambling to introduce legislation to address a devastating spike in ransomware and other cyberattacks on critical organizations such as Colonial Pipeline and JBS USA.

The effort marks a rare area of bipartisanship in an increasingly divided Congress, with lawmakers under pressure to confront cyber threats emanating from both foreign nations and cybercriminal groups making millions from holding companies for ransom.

“We think it’s essential for us to get our hands around this issue of ransomware, Colonial Pipeline is the biggest example, and then JBS, the meatpacking company, but it happens every day, and it happens to smaller companies too and individuals,” Senate Homeland Security and Governmental Affairs Committee ranking member Rob PortmanRobert (Rob) Jones PortmanHillicon Valley: Senate report finds major cyber shortcomings in federal agencies | Gig firms seek Mass. ballot question to classify workers as contractors | Blizzard's president steps down after workplace protests Senate report finds major cybersecurity shortcomings among federal agencies The Hill's Morning Report - Presented by Facebook - White House, Dems play blame game over evictions MORE (R-Ohio) told The Hill Thursday.

ADVERTISEMENT

“We need a better federal defense and offense on it, and we need to be sure it’s a partnership with the private sector,” he added.

Portman is currently working with Senate Homeland Security Committee Chairman Gary PetersGary PetersSenate report finds major cybersecurity shortcomings among federal agencies Biden pays tribute to late Sen. Levin: 'Embodied the best of who we are' Former longtime Sen. Carl Levin dies at 87 MORE (D-Mich.) on legislation to address the increase in ransomware and other crippling cyberattacks on critical organizations.

Peters told reporters last week that the legislation would be “comprehensive” and was necessary as cyberattacks have increasingly become “attacks on our very way of life.”

“I think every member on this committee agrees that this committee will focus our collective attention and resources on dealing with this problem,” Peters testified at committee hearing last week.

The bipartisan bill is part of a larger effort by Congress to address the rapidly expanding cyber threats, which have been in the spotlight in recent months due to both foreign and cybercriminal attacks.

Ransomware attacks disrupted operations in May at both Colonial Pipeline, the provider of 45 percent of the East Coast’s fuel, and JBS USA, the largest beef supplier in the nation, endangering critical supply chains.

ADVERTISEMENT

These attacks came as the federal government continued to recover from the SolarWinds hack, in which Russian-government-backed hackers compromised nine federal agencies, and vulnerabilities on Microsoft’s Exchange Server application that potentially compromised thousands of groups.

In the wake of these attacks, Senate Majority Leader Charles SchumerChuck Schumer'The Squad' celebrates Biden eviction moratorium Overnight Health Care: Florida becomes epicenter of COVID-19 surge | NYC to require vaccination for indoor activities | Biden rebukes GOP governors for barring mask mandates National Organization for Women calls for Cuomo resignation MORE (D-N.Y.) last week called on Peters and other Senate committee leaders to conduct a “government-wide review” of the incidents and make rolling out legislation to strengthen U.S. cybersecurity a priority.

“We in Congress have a responsibility to conduct oversight and determine whether our government needs an additional authority and resource to take the fight to cyber criminals and foreign intelligence services,” Schumer said on the Senate floor.

Peters is not the only committee leader working to put together cyber legislation.

Senate Intelligence Committee Chairman Mark WarnerMark Robert WarnerOvernight Defense: Police officer killed in violence outside Pentagon | Biden officials back repeal of Iraq War authorization | NSC pushed to oversee 'Havana Syndrome' response One officer dead after violent incident outside Pentagon Bipartisan bill would create NSC position to oversee 'Havana syndrome' response MORE (D-Va.), Vice Chairman Marco RubioMarco Antonio RubioRubio presses DNI to investigate alleged unmasking of Tucker Carlson Senate holds sleepy Saturday session as negotiators finalize infrastructure deal Break glass in case of emergency — but not for climate change MORE (R-Fla.), and committee member Sen. Susan CollinsSusan Margaret CollinsGraham's COVID-19 'breakthrough' case jolts Senate The Hill's Morning Report - Presented by Facebook - Senate finalizes .2 trillion bipartisan infrastructure bill Schumer: Democrats 'on track' to pass bipartisan deal, .5T budget MORE (R-Maine) are circulating draft legislation meant to tackle the threat of ransomware attacks, first reported by CNN on Wednesday.

The draft bill, which was obtained by The Hill, would require federal agencies, federal contractors and owners and operators of critical infrastructure to report cybersecurity incidents within 24 hours to the Cybersecurity and Infrastructure Security Agency (CISA).

It would give CISA 180 days after the bill became law to establish a reporting system to compile these reports and require the agency to submit annual potentially classified reports to Congress on all incidents.

The bill would critically also grant liability protections to groups that report breaches, with current voluntary standards for reporting often complicating the reporting process in recent years.

“I haven’t compared theirs and ours, it’s just based on our work in Intel and what we’ve learned, and as far as the rollout, we’d love to have it next week, but if not it will probably be after we come back in July,” Rubio told The Hill on Thursday.

In a separate effort, Sens. Lindsey GrahamLindsey Olin GrahamThe Hill's 12:30 Report - Presented by AT&T - Simone wins bronze with altered beam routine The job of shielding journalists is not finished The Hill's Morning Report - Presented by Facebook - White House, Dems play blame game over evictions MORE (R-S.C.), Sheldon WhitehouseSheldon WhitehouseLobbying world Kavanaugh conspiracy? Demands to reopen investigation ignore both facts and the law Christine Blasey Ford's lawyers blast FBI's Kavanaugh investigation as 'sham' MORE (D-R.I.), Richard Blumenthal (D-Conn.), and Thom TillisThomas (Thom) Roland TillisSeven-figure ad campaign urges GOP to support infrastructure bill Graham's COVID-19 'breakthrough' case jolts Senate Biden's bipartisan deal faces Senate gauntlet MORE (R-N.C.) on Thursday reintroduced legislation originally rolled out in 2018 that would crack down on cyber criminals.

Their bill, the International Cybercrime Prevention Act, would tighten consequences for hacking a critical infrastructure organization, such as a dam or a hospital, along with expanding the Justice Department’s ability to go after botnet groups.

“What we’re seeing here is not just a weed, it’s an invasive species, it’s comparable to an invasive species that needs to be stopped in your garden before it takes over everything in that garden,” Blumenthal told reporters of cyber threats at a Capitol Hill press conference Thursday. “Here the garden will succumb to that invasive species if we don’t stop it.”

Graham said at the same press conference that he would “insist” on adding it to any infrastructure package the Senate potentially agrees on as a way to move it through Congress quickly.

“Now we’ve got a moment in time when we can’t ignore it anymore, I now deem this infrastructure,” Graham said. 

One key issue being looked at by both Capitol Hill and the Biden administration is creating mandatory cyber legislation or regulations to force critical infrastructure groups to enhance security.

The Transportation Security Administration last month issued a new security directive requiring pipeline companies to report cybersecurity incidents to CISA within 12 hours of them occurring, and are working on further regulations.

Sen. Ron WydenRonald (Ron) Lee WydenThe job of shielding journalists is not finished Up next in the culture wars: Adding women to the draft Democrats warn shrinking Biden's spending plan could backfire MORE (D-Ore.), a member of the Senate Intelligence Committee, on Thursday criticized what he described as past “happy talk bills” that created only voluntary cybersecurity standards and left the door open to more attacks. 

“I am pleased that it looks like we are going to insist on more accountability, so to speak, with contractors,” Wyden told The Hill.

While there are multiple bills with several sponsors in the mix, there is no disagreement that following a year in which hackers targeted everything from hospitals to schools to government agencies, action must be taken to stem the tide of attacks.

“You look back at some of the previous bills and it was not what I think the country needed and I think now every senator is saying to themselves, ‘this is pretty obvious,’ ” Wyden said.